Block deletions of resources with active consumers + tests

Author: wtripp180901

coral_credits/api/views.py

@@ -15,6 +15,14 @@
 
 LOG = logging.getLogger(__name__)
 
+def destroy_if_no_active_consumers(linked_consumers_queryset, request, destroy_super):
+    
+    current_time = make_aware(datetime.now())
+    for consumer in linked_consumers_queryset:
+        if current_time < consumer.end:
+            return _http_403_forbidden(repr(db_exceptions.ActiveConsumersInAllocation))
+    else:
+        return destroy_super.destroy(request)
 
 class CreditAllocationViewSet(viewsets.ModelViewSet):
     queryset = models.CreditAllocation.objects.all()
@@ -23,15 +31,10 @@ class CreditAllocationViewSet(viewsets.ModelViewSet):
 
     def destroy(self, request, pk=None):
         allocation = get_object_or_404(self.queryset, pk=pk)
-        active_consumers = models.Consumer.objects.filter(
+        linked_consumers = models.Consumer.objects.filter(
             resource_provider_account__account__pk=allocation.account.pk
         )
-        current_time = make_aware(datetime.now())
-        for consumer in active_consumers:
-            if current_time < consumer.end:
-                return _http_403_forbidden(repr(db_exceptions.ActiveConsumersInAllocation))
-        else:
-            return super().destroy(request)
+        return destroy_if_no_active_consumers(linked_consumers, request, super())
 
 
 class CreditAllocationResourceViewSet(viewsets.ModelViewSet):
@@ -88,6 +91,13 @@ def create(self, request, allocation_pk=None):
 
     def update(self, request, allocation_pk=None, pk=None):
         return self._create_update_credit_allocations(request, allocation_pk)
+    
+    def destroy(self, request, allocation_pk=None, pk=None):
+        resource = get_object_or_404(self.get_queryset(), pk=pk)
+        linked_consumers = models.Consumer.objects.filter(
+            resource_provider_account__account__pk=resource.allocation.account.pk
+        )
+        return destroy_if_no_active_consumers(linked_consumers, request, super())
 
     def _validate_request(self, request):
 
@@ -111,12 +121,25 @@ class ResourceProviderViewSet(viewsets.ModelViewSet):
     serializer_class = serializers.ResourceProviderSerializer
     permission_classes = [permissions.IsAuthenticated]
 
+    def destroy(self, request, pk=None):
+        rpa = get_object_or_404(self.queryset, pk=pk)
+        linked_consumers = models.Consumer.objects.filter(
+            resource_provider_account__pk=rpa.pk
+        )
+        return destroy_if_no_active_consumers(linked_consumers, request, super())
 
 class ResourceProviderAccountViewSet(viewsets.ModelViewSet):
     queryset = models.ResourceProviderAccount.objects.all()
     serializer_class = serializers.ResourceProviderAccountSerializer
     permission_classes = [permissions.IsAuthenticated]
 
+    def destroy(self, request, pk=None):
+        provider = get_object_or_404(self.queryset, pk=pk)
+        linked_consumers = models.Consumer.objects.filter(
+            resource_provider_account__provider__pk=provider.pk
+        )
+        return destroy_if_no_active_consumers(linked_consumers, request, super())
+
 
 class AccountViewSet(viewsets.ModelViewSet):
     queryset = models.CreditAccount.objects.all()
@@ -183,6 +206,13 @@ def retrieve(self, request, pk=None):
                             )
 
         return Response(account_summary)
+    
+    def destroy(self, request, pk=None):
+        account = get_object_or_404(self.queryset, pk=pk)
+        linked_consumers = models.Consumer.objects.filter(
+            resource_provider_account__account__pk=account.pk
+        )
+        return destroy_if_no_active_consumers(linked_consumers, request, super())
 
 
 class ConsumerViewSet(viewsets.ModelViewSet):

tofu/.gitignore

@@ -11,13 +11,6 @@ tests/__pycache__/**
 crash.log
 crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf

tofu/tests/tofu_configs/delete-active.tfvars

@@ -0,0 +1,33 @@
+resource_provider_name     = "Test Provider"
+resource_provider_email    = "[email protected]"
+resource_provider_info_url = "https://www.google.com"
+
+accounts = [
+  {
+    name                 = "TestAccount1"
+    email                = "[email protected]"
+    openstack_project_id = "c2eced313b324cdb8e670e6e30bf387d"
+  },
+  {
+    name                 = "TestAccount2"
+    email                = "[email protected]"
+    openstack_project_id = "2fbf511968aa443e883a82283b0f0160"
+  }
+]
+
+allocations = {
+  Q2 = {
+    start_date = "2026-01-01-12:00:00"
+    end_date   = "2026-04-01-12:00:00"
+    projects = [
+      {
+        account_email = "[email protected]"
+        resources = {
+          VCPU    = 80000
+          MEMORY_MB  = 8000000
+          DISK_GB = 300000
+        }
+      }
+    ]
+  }
+}

tofu/tests/tofu_configs/initial.tfvars

@@ -0,0 +1,62 @@
+# coral_uri = "http://credits.apps.<azimuth-domain>"
+# auth_token = Get bearer token with `curl -X POST -H "Content-Type: application/json" -d \
+#    "{
+#        \"username\": \"admin\", 
+#        \"password\": \"$TEST_PASSWORD\"
+#    }" \ http://credits.apps.<azimuth-domain>/api_auth_token/
+
+resource_provider_name     = "Test Provider"
+resource_provider_email    = "[email protected]"
+resource_provider_info_url = "https://www.google.com"
+
+accounts = [
+  {
+    name                 = "TestAccount1"
+    email                = "[email protected]"
+    openstack_project_id = "c2eced313b324cdb8e670e6e30bf387d"
+  },
+  {
+    name                 = "TestAccount2"
+    email                = "[email protected]"
+    openstack_project_id = "2fbf511968aa443e883a82283b0f0160"
+  }
+]
+
+allocations = {
+  Q1 = {
+    start_date = "2025-09-01-12:00:00"
+    end_date   = "2025-12-01-12:00:00"
+    projects = [
+      {
+        account_email = "[email protected]"
+        resources = {
+          VCPU    = 40000
+          MEMORY_MB  = 4423680
+          DISK_GB = 108000
+        }
+      },
+      {
+        account_email = "[email protected]"
+        resources = {
+          VCPU    = 20000
+          MEMORY_MB  = 2000000
+          DISK_GB = 200000
+        }
+      }
+    ]
+  }
+  Q2 = {
+    start_date = "2026-01-01-12:00:00"
+    end_date   = "2026-04-01-12:00:00"
+    projects = [
+      {
+        account_email = "[email protected]"
+        resources = {
+          VCPU    = 80000
+          MEMORY_MB  = 8000000
+          DISK_GB = 300000
+        }
+      }
+    ]
+  }
+}

tofu/tests/tofu_tests.py

@@ -45,13 +45,13 @@ def get_lease_request_json():
 @pytest.fixture(scope="session")
 def terraform_rest_setup():
     working_dir = os.path.join(os.path.dirname(__file__), "..")
-    var_file = os.path.join(working_dir, "example-config.tfvars")
+    var_file = os.path.join(working_dir, "tests", "tofu_configs", "initial.tfvars")
 
     tf = Tofu(cwd=working_dir)
     tf.init()
     tf.apply(extra_args=["--var-file="+var_file])
 
-    yield
+    yield tf
 
     destroy = tf.apply(extra_args=["--var-file="+var_file],destroy=True)
     assert len(destroy.errors) == 0
@@ -66,15 +66,20 @@ def add_consumer_request(terraform_rest_setup):
         },
         json=lease_request_json
     )
-    yield consumer.status_code
+    yield dict(status = consumer.status_code, tf_workspace = terraform_rest_setup)
     requests.post(coral_uri+"/consumer/on-end",headers={
             "Authorization": "Bearer "+os.environ.get("TF_VAR_auth_token"),
             "Content-Type": "application/json"
         },
         json=lease_request_json
     )
 
-# def test_allocation_resources_still_consumed_by_deleted_consumers
+@pytest.fixture(scope="session")
+def try_delete_active_allocation(add_consumer_request):
+    delete_file = os.path.join(os.path.dirname(__file__), "..", "tests", "tofu_configs", "delete-active.tfvars")
+    try_delete = add_consumer_request["tf_workspace"].apply(extra_args=["--var-file="+delete_file])
+    return len(try_delete.errors)
+
 
 def api_get_request(resource):
     return requests.get(coral_uri+"/"+resource,headers=headers).json()
@@ -156,8 +161,24 @@ def test_resource_allocations_created(terraform_rest_setup):
     assert allocation_resources["Q1-1"] == {"VCPU": 20000, "MEMORY_MB": 2000000, "DISK_GB": 200000}
     assert allocation_resources["Q2-0"] == {"VCPU": 80000, "MEMORY_MB": 8000000, "DISK_GB": 300000}
 
+def test_resources_consumed_by_consumers(add_consumer_request):
+    raise NotImplementedError()
+
+def test_resources_still_consumed_after_consumer_delete():
+    raise NotImplementedError()
+
 def test_consumer_added_or_exists(add_consumer_request):
-    assert add_consumer_request == 204
+    assert add_consumer_request["status"] == 204
 
 def test_can_query_consumer(add_consumer_request):
     assert len(api_get_request("consumer")) == 1
+
+def test_delete_allocation_with_consumer_forbidden(try_delete_active_allocation):
+    assert try_delete_active_allocation > 0
+
+def test_delete_active_allocation_resources_fails(try_delete_active_allocation):
+    allocations = api_get_request("allocation")
+    q1_allocations = [a for a in allocations if a["name"][:2] == "Q1"]
+    for alloc in q1_allocations:
+        tst = api_get_request("allocation/"+str(alloc["id"])+"/resources")
+        assert len(tst) == 3